DigestAuth
The DigestAuth middleware grants access to services to authorized users only.
Configuration Options
tip
Use htdigest to generate passwords.
users
| Field | Description |
|---|---|
users | The users option is an array of authorized users. Each user will be declared using the name:realm:encoded-password format. |
note
- If both
usersandusersFileare provided, the two are merged. The contents ofusersFilehave precedence over the values inusers. - For security reasons, the field
usersdoesn't exist for Kubernetes IngressRoute, and one should use thesecretfield instead.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDp0cmFlZmlrOmEyNjg4ZTAzMWVkYjRiZTZhMzc5N2YzODgyNjU1YzA1CnRlc3QyOnRyYWVmaWs6NTE4ODQ1ODAwZjllMmJmYjFmMWY3NDBlYzI0ZjA3NGUKCg==
usersFile
| Field | Description |
|---|---|
usersFile | The usersFile option is the path to an external file that contains the authorized users for the middleware. |
The file content is a list of name:realm:encoded-password.
note
- If both
usersandusersFileare provided, the two are merged. The contents ofusersFilehave precedence over the values inusers. - Because it does not make much sense to refer to a file path on Kubernetes, the
usersFilefield doesn't exist for Kubernetes IngressRoute, and one should use thesecretfield instead.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: authsecret
---
apiVersion: v1
kind: Secret
metadata:
name: authsecret
namespace: default
data:
users: |2
dGVzdDokYXByMSRINnVza2trVyRJZ1hMUDZld1RyU3VCa1RycUU4d2ovCnRlc3QyOiRhcHIxJGQ5
aHI5SEJCJDRIeHdnVWlyM0hQNEVzZ2dQL1FObzAK
Example of a file containing test/test and test2/test2
test:traefik:a2688e031edb4be6a3797f3882655c05
test2:traefik:518845800f9e2bfb1f1f740ec24f074e
realm
| Field | Description | Default |
|---|---|---|
realm | You can customize the realm for the authentication with the realm option. | traefik |
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
realm: MyRealm
headerField
| Field | Description |
|---|---|
headerField | You can customize the header field for the authenticated user using the headerFieldoption. |
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: my-auth
spec:
digestAuth:
headerField: X-WebAuth-User
removeHeader
| Field | Description | Default |
|---|---|---|
removeHeader | Set the removeHeader option to true to remove the authorization header before forwarding the request to your service. | false |
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
removeHeader: true
Example
Declaring the user list
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: test-auth
spec:
digestAuth:
secret: userssecret